Je vous livre sur un plateau d’argent mon petit rôle Ansible d’installation de bind sur un serveur Debian.
# scaffold the standard role directory layout (defaults/, tasks/, templates/, ...) under roles/bind
ansible-galaxy init roles/bind
Notre rôle se situe dans roles/bind.
Nos gentilles variables :
roles/bind/defaults/main.yml :
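---
# defaults file for roles/bind
#
# Every other value below is derived from bind_ip, the address the zone files
# publish for this host, so overriding that single variable (per host or per
# group) is enough when the address is not where the role expects it.

# Second entry of the IPv4 facts list, as the role has always assumed. A host
# with a single interface, or a different fact order, has to set this in
# inventory instead of relying on the default.
bind_ip: "{{ ansible_all_ipv4_addresses[1] }}"

# Domain the forward zone is authoritative for; also the suffix of the host's
# FQDN in the SOA and NS records.
suffix_fqdn: linux.man

# Octets of bind_ip as a list, e.g. "10.1.2.3" -> ['10', '1', '2', '3'].
subnet_list: "{{ bind_ip.split('.') }}"

# First three octets in network order (a /24 prefix) ...
subnet: "{{ subnet_list[0] }}.{{ subnet_list[1] }}.{{ subnet_list[2] }}"
# ... and reversed, as used for the <subnet_inv>.in-addr.arpa zone name.
# Both assume the host sits in a /24 network.
subnet_inv: "{{ subnet_list[2] }}.{{ subnet_list[1] }}.{{ subnet_list[0] }}"

# First octet: names the reverse zone file (db.<first octet>).
ip_first_numbers: "{{ subnet_list[0] }}"
# Last octet: owner name of the host's PTR record inside the reverse zone.
ip_last_numbers: "{{ subnet_list[-1] }}"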
Les templates énervés :
roles/bind/templates/db.ip.j2 :
;
; Reverse zone for the /24 that holds this host's address, rendered by Ansible.
; The zone name comes from subnet_inv (the first three octets reversed), so
; this file can only describe a /24 network.
;
$TTL    604800
$ORIGIN {{ subnet_inv }}.in-addr.arpa.

; Start of authority: this host is the primary and the contact mailbox is
; root at the domain. The serial is a fixed literal; bump it by hand whenever
; a record changes if a secondary server ever transfers this zone.
@       IN  SOA     {{ ansible_hostname }}.{{ suffix_fqdn }}. root.{{ suffix_fqdn }}. (
                        2           ; Serial
                        604800      ; Refresh
                        86400       ; Retry
                        2419200     ; Expire
                        604800 )    ; Negative Cache TTL

; Name server of the zone, then the single PTR record for this host
; (ip_last_numbers is the last octet of the host's address).
@       IN  NS      {{ ansible_hostname }}.{{ suffix_fqdn }}.
{{ ip_last_numbers }}   IN  PTR     {{ ansible_hostname }}.{{ suffix_fqdn }}.
roles/bind/templates/db.mondomaine.j2 :
;
; Forward zone for the role's domain (suffix_fqdn), rendered by Ansible.
; It publishes exactly one host: this machine, at the address the role picked.
;
$TTL    604800

; Start of authority: this host is the primary and the contact mailbox is
; root at the domain. The serial is a fixed literal; bump it by hand whenever
; a record changes if a secondary server ever transfers this zone.
@       IN  SOA     {{ ansible_hostname }}.{{ suffix_fqdn }}. root.{{ suffix_fqdn }}. (
                        2           ; Serial
                        604800      ; Refresh
                        86400       ; Retry
                        2419200     ; Expire
                        604800 )    ; Negative Cache TTL

; Name server of the zone, then the A record for this host itself.
@       IN  NS      {{ ansible_hostname }}.{{ suffix_fqdn }}.
{{ ansible_hostname }}  IN  A       {{ ansible_all_ipv4_addresses[1] }}
roles/bind/templates/named.conf.local.j2 :
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// Forward zone for the domain. This server is the primary (type master) and
// answers anyone who asks; the records come from the db.<domain> file the
// role renders.
zone "{{ suffix_fqdn }}" {
    type master;
    file "/etc/bind/db.{{ suffix_fqdn }}";
    allow-query { any; };
};

// Reverse zone for the /24 of this host's address. The file name only uses
// the first octet (ip_first_numbers), e.g. db.10 for a 10.x.y.z address.
// No allow-query is given here, so BIND's default (any) applies.
zone "{{ subnet_inv }}.in-addr.arpa" {
    type master;
    file "/etc/bind/db.{{ ip_first_numbers }}";
};
roles/bind/templates/named.conf.options.j2 :
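options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // Queries for names this server is not authoritative for are sent to
    // these resolvers; "forward only" means it never falls back to iterative
    // resolution when they fail. The host's own address is deliberately not
    // in the list: the local zones are answered from the zone files before
    // forwarding is considered, and with "forward only" a forwarder that
    // points back at this server only loops the query back to itself.
    forwarders {
        8.8.8.8;
        8.8.4.4;
        // 212.27.40.240;
        // 212.27.40.241;
    };
    forward only;

    // Only this machine and hosts on its directly attached networks may use
    // it as a recursive resolver; anyone may still query the authoritative
    // zones. This is BIND's built-in default, spelled out so it survives
    // later edits to the access lists.
    allow-recursion { localhost; localnets; };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    // do not reveal the running BIND version to version.bind queries
    version none;
    // listen-on-v6 { any; };
};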
Et enfin le fichier des tasks :
roles/bind/tasks/main.yml :
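---
# tasks file for roles/bind
#
# Installs BIND 9 on a Debian-family host, points the host at itself for name
# resolution, renders the zone and named.conf.* files from the role templates
# (syntax-checked before they go live) and restarts the service only when one
# of those files actually changed.

- name: install bind9
  apt:
    name: bind9
    state: present
    update_cache: true
    # reuse a package index fetched less than an hour ago instead of hitting
    # the mirrors on every run
    cache_valid_time: 3600
  when: ansible_os_family == "Debian"

- name: add prefix in /etc/hosts
  lineinfile:
    path: /etc/hosts
    regexp: '^127\.0\.0\.1'
    line: "127.0.0.1 localhost.{{ suffix_fqdn }} localhost"

# Sourced by dhclient-script on every lease: redefining make_resolv_conf as a
# no-op stops the DHCP client from rewriting /etc/resolv.conf and undoing the
# nameserver line set just below. Installed first so a lease renewal between
# the two tasks cannot clobber that line.
- name: hooks for avoid dhcp client to update resolv.conf
  copy:
    dest: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
    content: |
      #!/bin/sh
      make_resolv_conf(){
          :
      }
    mode: '0751'

# The resolver only accepts an IP address after "nameserver"; a host name such
# as "localhost" is not looked up there and the entry would be ignored.
- name: localhost in nameserver
  lineinfile:
    path: /etc/resolv.conf
    regexp: '^nameserver'
    firstmatch: true
    line: nameserver 127.0.0.1

# All BIND files in one loop. Each rendered file is checked with
# named-checkzone / named-checkconf (%s is the temporary copy) before it
# replaces the live one, so a broken template never reaches the running
# server; the registered result decides below whether a restart is needed.
- name: create bind zone and configuration files
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: '0644'
    validate: "{{ item.validate }}"
  loop:
    - src: db.mondomaine.j2
      dest: "/etc/bind/db.{{ suffix_fqdn }}"
      validate: "named-checkzone {{ suffix_fqdn }} %s"
    - src: db.ip.j2
      # same db.<first octet> name that named.conf.local.j2 refers to
      dest: "/etc/bind/db.{{ ip_first_numbers }}"
      validate: "named-checkzone {{ subnet_inv }}.in-addr.arpa %s"
    - src: named.conf.local.j2
      dest: /etc/bind/named.conf.local
      validate: "named-checkconf %s"
    - src: named.conf.options.j2
      dest: /etc/bind/named.conf.options
      validate: "named-checkconf %s"
  loop_control:
    label: "{{ item.dest }}"
  register: bind_files

## Enable log
# The role owns this file completely, so it is written as a whole rather than
# as a managed block; the log goes under /var/lib/bind, which is writable by
# the bind user on Debian.
- name: create named.conf.log
  copy:
    dest: /etc/bind/named.conf.log
    mode: '0644'
    validate: "named-checkconf %s"
    content: |
      logging {
        channel bind_log {
          file "/var/lib/bind/bind.log" versions 3 size 5m;
          severity info;
          print-category yes;
          print-severity yes;
          print-time yes;
        };
        category default { bind_log; };
        category update { bind_log; };
        category update-security { bind_log; };
        category security { bind_log; };
        category queries { bind_log; };
        category lame-servers { null; };
      };
  register: bind_logging

- name: add log into named.conf
  lineinfile:
    path: /etc/bind/named.conf
    line: 'include "/etc/bind/named.conf.log";'
  register: bind_named_conf

# Restart only when something BIND reads has changed; an unconditional
# restart would interrupt resolution on every playbook run.
- name: restart bind9
  service:
    name: bind9
    state: restarted
  when:
    - ansible_os_family == "Debian"
    - bind_files is changed or bind_logging is changed or bind_named_conf is changed

- name: ensure bind9 is running and enabled at boot
  service:
    name: bind9
    state: started
    enabled: true
  when: ansible_os_family == "Debian"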
Le playbook qui va bien :
install-bind.yml :
---
# Apply the bind role to every host of the "dns" inventory group, escalating
# to root for the package installation and the files under /etc.
- name: install bind
  hosts: dns
  become: true
  roles:
    - bind
Mes articles autour d'Ansible : ICI